SAP Enterprise Application Software

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content

CVE-2025-42999 - May 13, 2025

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries

CVE-2025-31324 9.8 - Critical - April 24, 2025

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

Unrestricted File Upload

SAP BusinessObjects BI Platform Information Disclosure Vulnerability

CVE-2024-32732 - December 10, 2024

Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

SAP Commerce Cloud Assisted Service Module Information Disclosure Vulnerability

CVE-2024-47577 - December 10, 2024

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.

Cleartext Transmission of Sensitive Information

SAP NetWeaver ABAP Privilege Escalation Vulnerability

CVE-2024-47585 - December 10, 2024

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the application and may have only a low impact on data confidentiality.

AuthZ

SAP NetWeaver Administrator SSRF Vulnerability

CVE-2024-54197 - December 10, 2024

SAP NetWeaver Administrator(System Overview) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in Server-Side Request Forgery (SSRF) which could have a low impact on integrity and confidentiality of data. It has no impact on availability of the application.

SSRF

SAP NetWeaver AS ABAP RFC Request Credential Exposure Vulnerability

CVE-2024-54198 - December 10, 2024

In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.

Improper Control of Dynamically-Identified Variables

SAP NetWeaver AS Java (System Landscape Directory) Authorization Bypass Vulnerability

CVE-2024-42372 - November 12, 2024

Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.

AuthZ

SAP NetWeaver ABAP Kernel Null Pointer Dereference Denial of Service Vulnerability

CVE-2024-47586 - November 12, 2024

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the system to be temporarily unavailable. There is no impact on Confidentiality or Integrity.

NULL Pointer Dereference

SAP NetWeaver Java Software Update Manager 1.1 Credential Exposure Vulnerability

CVE-2024-47588 - November 12, 2024

In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability.

Insufficiently Protected Credentials

SAP NetWeaver AS Java Unauthenticated User ID Brute Force Vulnerability

CVE-2024-47592 - November 12, 2024

SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.

SAP NetWeaver ABAP Server File Disclosure Vulnerability

CVE-2024-47593 - November 12, 2024

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application's integrity or availability.

SAP NetWeaver AS ABAP Privilege Escalation Vulnerability

CVE-2024-47595 7.1 - High - November 12, 2024

An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application.

Incorrect Privilege Assignment

SAP BusinessObjects Business Intelligence Platform

CVE-2024-37179 6.5 - Medium - October 08, 2024

SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application.

Unrestricted File Upload

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability

CVE-2024-45277 4.3 - Medium - October 08, 2024

The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.

Prototype Pollution

SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability

CVE-2024-45278 5.4 - Medium - October 08, 2024

SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.

XSS

Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method

CVE-2024-45282 5.3 - Medium - October 08, 2024

Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.

Trusting HTTP Permission Methods on the Server Side

SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs

CVE-2024-47594 5.4 - Medium - October 08, 2024

SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such link, confidentiality and integrity of their web browser session could be compromised.

XSS

Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will

CVE-2024-44112 4.3 - Medium - September 10, 2024

Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability.

AuthZ

Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform

CVE-2024-41728 2.7 - Low - September 10, 2024

Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.

AuthZ

SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program

CVE-2024-44114 2.7 - Low - September 10, 2024

SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.

AuthZ

SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users

CVE-2024-42373 5.4 - Medium - August 13, 2024

SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically restricted, causing minimal impact on the integrity of the application.

AuthZ

Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction

CVE-2024-41734 4.3 - Medium - August 13, 2024

Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.

AuthZ

SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.

CVE-2024-39591 5.3 - Medium - August 13, 2024

SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.

AuthZ

Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server

CVE-2024-33005 6.3 - Medium - August 13, 2024

Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.

AuthZ

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls

CVE-2024-41732 5.4 - Medium - August 13, 2024

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network

CVE-2024-41731 4.3 - Medium - August 13, 2024

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.

Unrestricted File Upload

SAP shared service framework

CVE-2024-42377 4.3 - Medium - August 13, 2024

SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application

AuthZ

SAP Shared Service Framework does not perform necessary authorization check for an authenticated user

CVE-2024-42376 6.5 - Medium - August 13, 2024

SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.

AuthZ

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network

CVE-2024-42375 4.3 - Medium - August 13, 2024

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.

Unrestricted File Upload

SAP CRM ABAP (Insights Management)

CVE-2024-41737 5 - Medium - August 13, 2024

SAP CRM ABAP (Insights Management) allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

SSRF

Under certain conditions SAP Permit to Work

CVE-2024-41736 4.3 - Medium - August 13, 2024

Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted causing low impact on the confidentiality of the application.

Information Disclosure

SAP Commerce Backoffice does not sufficiently encode user-controlled inputs

CVE-2024-41735 5.4 - Medium - August 13, 2024

SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application.

XSS

In SAP Commerce, valid user accounts can be identified during the customer registration and login processes

CVE-2024-41733 5.3 - Medium - August 13, 2024

In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality therefore is low and no impact to integrity or availability

Information Disclosure

In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user

CVE-2024-41730 9.8 - Critical - August 13, 2024

In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.

AuthZ

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source

CVE-2024-42374 8.2 - High - August 13, 2024

BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.

aka Blind XPath Injection

Some OCC API endpoints in SAP Commerce Cloud

CVE-2024-33003 9.1 - Critical - August 13, 2024

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

Information Disclosure

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network

CVE-2024-28166 4.3 - Medium - August 13, 2024

SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.

Unrestricted File Upload

SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges

CVE-2024-37175 6.5 - Medium - July 09, 2024

SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information.

AuthZ

SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user

CVE-2024-37172 5.4 - Medium - July 09, 2024

SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.

AuthZ

SAP Transportation Management (Collaboration Portal)

CVE-2024-37171 5 - Medium - July 09, 2024

SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.

SSRF

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files

CVE-2024-34692 4.6 - Medium - July 09, 2024

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application.

Unrestricted File Upload

WebFlow Services of SAP Business Workflow

CVE-2024-34689 5 - Medium - July 09, 2024

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

SSRF

Under certain conditions, the memory of SAP GUI for Windows contains the password used to log on to an SAP system, which might

CVE-2024-39600 4.2 - Medium - July 09, 2024

Under certain conditions, the memory of SAP GUI for Windows contains the password used to log on to an SAP system, which might allow an attacker to get hold of the password and impersonate the affected user. As a result, it has a high impact on the confidentiality but there is no impact on the integrity and availability.

Information Disclosure

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges

CVE-2024-39592 6.5 - Medium - July 09, 2024

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.

AuthZ

SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response

CVE-2024-39593 5.7 - Medium - July 09, 2024

SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities.

Information Disclosure

SAP CRM (WebClient UI Framework)

CVE-2024-39598 7.7 - High - July 09, 2024

SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.

SSRF

Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor which

CVE-2024-34685 6.1 - Medium - July 09, 2024

Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application but it has a low impact on its confidentiality and integrity.

XSS

Due to insufficient input validation, SAP CRM WebClient UI

CVE-2024-37173 6.1 - Medium - July 09, 2024

Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.

XSS

Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability

CVE-2024-37174 6.1 - Medium - July 09, 2024

Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.

XSS